Policy | Security | Investigation

Canada

September 14, 2009

Which employee wants to be the target of a criminal investigation into whether public record e-mails were wrongfully destroyed? Observers of a political corruption lawsuit in British Columbia were shocked to learn that – while the well-known lawsuit was pending – IT employees destroyed backup tapes containing key e-mails by executives (i.e., government officials negotiating the sale of the then-government enterprise, BC Rail).

This kind of news sounds sensational in the press. The public naturally wonders what the justification was for erasing records. How much does it cost, citizens ask, just to retain some tapes a few more years? Did someone apply a record destruction policy as a convenient way to eliminate embarrassing evidence? Should the employees not have observed a "legal hold" (also known as "litigation hold") on the records?

Such destruction of records, during an on-going prosecution, could be grounds for a criminal investigation into obstruction of justice, said a local expert quoted in the BC news media.

Such destruction of records may also qualify as spoliation, worthy of sanctions by a court.

Easy to Write Policy | Hard to Follow

In the field of records management, it is easy to write a policy that says an enterprise will destroy records like email regularly, but will apply a "legal hold" when a lawsuit or investigation arises. However, in practice, to institute a legal hold is hard. It is hard for the responsible employees to understand when and where they need to apply a litigation hold.

Consider this issue from the perspective of employees in government agencies or other large enterprises. They don’t want to do anything illegal. But for an employee to stay fully informed of all pending lawsuits and investigations (even well-known ones) can be very difficult in practice. Many employees who have control over email records do not know all of the matters to which they many pertain.

Safer Course

From the perspective of employees, the safer course of action is to retain electronic records of executives generously, for a long time. Modern technology is causing the cost of email retention to drop. To retain a lot of e-mail is not as expensive as retaining a lot paper holding the same content.

July 14, 2009

How are data holders to comply with the swelling riot of data security laws? These laws include breach notification laws, which require that individuals and/or government be notified when the security of private data has been compromised. Perfect compliance is impossible.

Almost all the states have adopted breach notice laws – though they are not uniform – and legislatures are expanding the scope of the laws.

The original law from California (effective six years ago) focused on identity information – name plus social security number, driver’s license number or financial account number. Then the California legislature expanded its law to also include breaches of medical data. That expansion became effective January 1, 2009. Result? In the first five months of 2009, California authorities were notified of a whopping 823 healthcare data breaches, mostly through self-reporting by healthcare entities. That’s just one industry, in one state, in five months. And California authorities anticipate that the flow of notices will rise as people in the healthcare community become better aware of the new law.

A data breach can occur in myriad ways: a misdirected fax or e-mail, a hacking incident or snooping by an employee.

Meanwhile, we see floods of breach notices issued in other states and other industries – retail, nonprofit, colleges, financial, professional services, water districts, school districts, county government, municipal government, state government, federal government. No organization is immune. As these laws sit longer on the books, the flow of notices grows larger and larger.

Why are there so many notices? The reason is that the laws assume that 100% data privacy can reasonably be achieved. They further assume that any shortcoming (or suspected shortcoming) of data privacy should be an unusual event within well-managed enterprises. The assumptions are wrong. The expectations of the public, and especially the expectations of policy makers, are out of touch with the reality of modern data management. These outsized expectations contribute to a growing risk of monetary liability on the part of data holders.

So what are data holders to do? Obviously they need to invest in data security, training and investigation – and they have been. But banks, schools, utilities, clinics, hospitals, merchants and government agencies can throw massive investments at this problem and never meet present expectations.